Application Gateway uses WAF SKU

March 21, 2025

SYNOPSIS

Internet accessible Application Gateways should protect endpoints with WAF.

DESCRIPTION

Application Gateway endpoints can optionally be configured with a Web Application Firewall (WAF) policy. When configured, every incoming request is filtered by the WAF policy.

To use a WAF policy, the Application Gateway must be deployed with a Web Application Firewall SKU.

RECOMMENDATION

Consider deploying Application Gateways with a WAF SKU to protect against common attacks.

EXAMPLES

Configure with Azure template

To deploy Application Gateways that pass this rule:

  • Deploy an Application Gateway with the WAF or WAF_v2 SKU.

For example:

{
    "type": "Microsoft.Network/applicationGateways",
    "apiVersion": "2020-11-01",
    "name": "appGw-001",
    "location": "[resourceGroup().location]",
    "properties": {
        "sku": {
            "name": "WAF_v2",
            "tier": "WAF_v2"
        },
        "webApplicationFirewallConfiguration": {
            "enabled": true,
            "firewallMode": "Prevention",
            "ruleSetType": "OWASP",
            "ruleSetVersion": "3.2",
            "disabledRuleGroups": [],
            "requestBodyCheck": true,
            "maxRequestBodySizeInKb": 128,
            "fileUploadLimitInMb": 100
        }
    }
}
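
The check this rule describes can also be run over a template before deployment. The following is an added example, not part of PSRule or the original page: it walks a parsed ARM template, including nested deployments, and flags Application Gateways whose sku.tier is not WAF or WAF_v2. The second check (WAF SKU present but webApplicationFirewallConfiguration not enabled) goes beyond what the rule itself tests; the function names and the sample template are constructed for illustration.

```python
# Added example: static check of an ARM template (parsed JSON) for this rule.
APPGW_TYPE = "microsoft.network/applicationgateways"
WAF_TIERS = {"waf", "waf_v2"}

def iter_resources(resources):
    """Yield each resource, descending into child resources and nested deployments."""
    if isinstance(resources, dict):  # symbolic-name templates use an object, not a list
        resources = resources.values()
    for res in resources or []:
        if not isinstance(res, dict):
            continue
        yield res
        yield from iter_resources(res.get("resources"))
        props = res.get("properties")
        if isinstance(props, dict) and isinstance(props.get("template"), dict):
            yield from iter_resources(props["template"].get("resources"))

def check_template(template):
    """Return (name, reason) for each Application Gateway that needs attention."""
    findings = []
    for res in iter_resources(template.get("resources")):
        if str(res.get("type", "")).lower() != APPGW_TYPE:
            continue
        props = res.get("properties") if isinstance(res.get("properties"), dict) else {}
        sku = props.get("sku") if isinstance(props.get("sku"), dict) else {}
        tier = str(sku.get("tier", ""))  # an unresolved expression is reported as-is
        if tier.lower() not in WAF_TIERS:
            findings.append((res.get("name"), f"sku.tier '{tier}' is not WAF or WAF_v2"))
            continue
        waf = props.get("webApplicationFirewallConfiguration")
        if isinstance(waf, dict) and waf.get("enabled") is not True:
            findings.append((res.get("name"), "WAF SKU set but WAF configuration is not set to enabled"))
    return findings

# Constructed sample template (resource names are placeholders, not from the page).
SAMPLE = {"resources": [
    {"type": "Microsoft.Network/applicationGateways", "name": "appGw-ok",
     "properties": {"sku": {"name": "WAF_v2", "tier": "WAF_v2"},
                    "webApplicationFirewallConfiguration": {"enabled": True, "firewallMode": "Prevention"}}},
    {"type": "Microsoft.Network/applicationGateways", "name": "appGw-std",
     "properties": {"sku": {"name": "Standard_v2", "tier": "Standard_v2"}}},
    {"type": "Microsoft.Resources/deployments", "name": "nested",
     "properties": {"template": {"resources": [
         {"type": "Microsoft.Network/applicationGateways", "name": "appGw-off",
          "properties": {"sku": {"name": "WAF_v2", "tier": "WAF_v2"},
                         "webApplicationFirewallConfiguration": {"enabled": False}}}]}}},
]}

if __name__ == "__main__":
    for name, reason in check_template(SAMPLE):
        print(f"{name}: {reason}")
```

A gateway whose tier is supplied by a template expression such as a parameter is reported with the raw expression, since it cannot be resolved without the deployment parameters.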

Configure with Bicep

To deploy Application Gateways that pass this rule:

  • Deploy an Application Gateway with the WAF or WAF_v2 SKU.

For example:

resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {
  name: 'appGw-001'
  location: location
  properties: {
    sku: {
      name: 'WAF_v2'
      tier: 'WAF_v2'
    }
    webApplicationFirewallConfiguration: {
      enabled: true
      firewallMode: 'Prevention'
      ruleSetType: 'OWASP'
      ruleSetVersion: '3.2'
    }
  }
}

Configure with Azure CLI

az network application-gateway update --sku WAF_v2 -n '<name>' -g '<resource_group>'

Configure with Azure PowerShell

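$AppGw = Get-AzApplicationGateway -Name '<name>' -ResourceGroupName '<resource_group>'
$AppGw = Set-AzApplicationGatewaySku -ApplicationGateway $AppGw -Name 'WAF_v2' -Tier 'WAF_v2'
# Set-AzApplicationGatewaySku only changes the local object; commit the change to Azure.
Set-AzApplicationGateway -ApplicationGateway $AppGw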